Practicing a Science of Security: A Philosophy of Science Perspective

Our goal is to refocus the question about cybersecurity research from 'is this process scientific' to 'why is this scientific process producing unsatisfactory results'. We focus on five common complaints that claim cybersecurity is not or cannot be scientific. Many of these complaints presume views associated with the philosophical school known as Logical Empiricism that more recent scholarship has largely modified or rejected. Modern philosophy of science, supported by mathematical modeling methods, provides constructive resources to mitigate all purported challenges to a science of security. Therefore, we argue the community currently practices a science of cybersecurity. A philosophy of science perspective suggests the following form of practice: structured observation to seek intelligible explanations of phenomena, evaluating explanations in many ways, with specialized fields (including engineering and forensics) constraining explanations within their own expertise, inter-translating where necessary. A natural question to pursue in future work is how collecting, evaluating, and analyzing evidence for such explanations is different in security than other sciences.
